Server-Side Request Forgery (SSRF) vulnerability in Next.js Server Actions
CVE-2024-34351

7.5 HIGH

Key Information:

Vendor
Vercel
Status
Next.js
Vendor
CVE Published:
14 May 2024

Badges

  • 🥇 Trended No. 1
  • 📈 Trended
  • 📈 Score: 17,200
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 📰 News Worthy

What is CVE-2024-34351?

CVE-2024-34351 is a vulnerability found in Next.js, a popular React framework that assists developers in building web applications. The vulnerability is characterized as a Server-Side Request Forgery (SSRF) issue that arises when a specific set of conditions is met, allowing an attacker to manipulate the Host header. If exploited, an attacker could make requests that seem to originate from the Next.js server itself, potentially leading to unauthorized access to internal resources. This situation can significantly jeopardize the integrity and confidentiality of data managed by web applications utilizing Next.js, affecting organizations that rely on this framework for their web solutions.

Technical Details

The SSRF vulnerability occurs under three specific conditions:

  1. Next.js must be self-hosted.
  2. The application must employ Server Actions.
  3. The Server Action must redirect to a relative path that begins with a /.

When these conditions align, an attacker can exploit the vulnerability by modifying the Host header, causing the server to issue unauthorized requests. The flaw was addressed in Next.js version 14.1.1, where mitigations were implemented to prevent such exploitation.

Impact of the Vulnerability

  1. Unauthorized Access: By exploiting CVE-2024-34351, an attacker could gain unauthorized access to internal servers and resources, potentially exposing sensitive information and leading to data breaches.

  2. Internal Resource Mapping: Attackers may use this vulnerability to map internal resources, discovering additional vulnerabilities or information that can be leveraged for further attacks.

  3. Compromised Application Integrity: The ability to manipulate requests as if they were coming from the server can result in actions that compromise the integrity of the application, including data manipulation or denial-of-service conditions.

Affected Version(s)

next.js >= 13.4.0, < 14.1.1
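
The following check is an added example, not code from Vercel or the advisory. It compares a resolved next version against the affected range above and flags source files that contain a "use server" directive together with a redirect() to a literal path starting with /; the function names, regex heuristics and sample files are assumptions made for illustration.

```javascript
// Added triage example for CVE-2024-34351; names and sample files are constructed.
const AFFECTED_FROM = [13, 4, 0]; // affected: next >= 13.4.0
const FIXED_IN = [14, 1, 1];      // fixed in: next 14.1.1

// Parse a resolved version such as "14.0.4" or "v14.1.1-canary.3".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  return m ? { parts: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns true or false, or null when the version string cannot be parsed.
function versionAffected(v) {
  const p = parseVersion(v);
  if (!p) return null;
  const vsFix = cmp(p.parts, FIXED_IN);
  // A pre-release of the fixed version sorts before it, so it stays in range.
  const belowFix = vsFix < 0 || (vsFix === 0 && p.pre);
  return cmp(p.parts, AFFECTED_FROM) >= 0 && belowFix;
}

// Heuristics: a "use server" directive on its own line, and redirect() called
// with a string literal that starts with "/". Non-literal arguments are not seen.
const USE_SERVER = /^\s*(['"])use server\1;?\s*$/m;
const RELATIVE_REDIRECT = /\bredirect\(\s*['"`]\//;

function triage(resolvedNextVersion, files) {
  const flagged = Object.keys(files)
    .filter((p) => USE_SERVER.test(files[p]) && RELATIVE_REDIRECT.test(files[p]))
    .sort();
  const affected = versionAffected(resolvedNextVersion);
  // Condition 1 (self-hosted) is a deployment fact and must be confirmed separately.
  return { affected, flagged, review: affected !== false && flagged.length > 0 };
}

// Constructed sample sources, keyed by path.
const SAMPLE_FILES = {
  "app/actions/login.js":
    '"use server";\nimport { redirect } from "next/navigation";\n' +
    'export async function login() { redirect("/dashboard"); }\n',
  "app/actions/save.js":
    '"use server";\nexport async function save() { return { ok: true }; }\n',
  "app/page.js": "export default function Page() { return null; }\n",
};
console.log(triage("14.0.4", SAMPLE_FILES));
```

Pass the version resolved in the lockfile rather than the range in package.json; an unparseable version yields `affected: null` and still sets `review` when matching files exist.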

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

Critical Next.js Vulnerability Let Attackers Compromise Server Operations

Two new vulnerabilities have been discovered in Next.js which were related to response queue poisoning and SSRF on certain Next.js versions.

8 months ago

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • Vulnerability published
  • 👾 Exploit known to exist
  • 📰 First article discovered by CybersecurityNews
  • 🥇 Vulnerability reached the number 1 worldwide trending spot
  • 📈 Vulnerability started trending
  • Vulnerability Reserved